Embedding hidden files in jpeg images Tested target : FaceBook (other known working target : flickr)

(Antoine Santo 30-01-2011) 0. - Introduction 1. - The FaceBook process 2. - The embeddin process 2.0. - !e need some "i#es 2.1. - $ncodin the "i#e %ou &ant to embed 2.2. - In'ectin the encoded "i#e in the container 'p ima e 3. - (et)s tr% it on FaceBook *. - $+ctract the hidden document "rom the ima e ,. - -onc#usion and potentia# uses .. - Author

--/ 0. - Introduction
This document describes the techni0ue to embed an% kind o" "i#e in a 'p ima e1 then up#oad it as a tri2ia# ima e to "acebook photo a#bum. This research &as made to understand ho& "acebook process ima es in-order to pre2ent abuses o" it and su est so#utions. 3isc#aimer4 !hen usin parts "rom this paper1 %ou shou#d sti## credit the author. I &on)t be he#d responsib#e "or the dama es done to %ourse#" or others nor "or i##e a# uses. It)s at %our o&n risk. This paper uses no speci"ic kno&#ed e e+ecept basics about 'p "ormat1 d #ibrar% and base .* encodin .

--/ 1. - The FaceBook process

Facebook a##o&s its subscribers to create photo a#bums and to up#oad photos. Facebook a##o&s the sendin o" #ar e1 hi h reso#ution pictures1 since resi5in &i## be done b% the site automatica##%. It seems that "acebook keeps the $6IF data o" the ori ina# ima e "or the resi5ed photo.

--/ 2. - The embedding process

3urin the di""erent steps o" the process1 notice the si5e o" each "i#e.

----/ 2.0. - We need some files 7ou need a container ima e 4


AntoineX tmp # ls antoine.jpg -la -rw-r--r-- 1 a.santo a.santo 1359 28 janv. 11:08 antoine.jpg AntoineX tmp # file antoine.jpg antoine.jpg: J !" image #ata$ 50%50 J&'& stan#ar# 1.01

And %ou need the "i#e %ou &ant to embed to it. I &i## use a music "i#e ca##ed 8 guitar.mp3 9
AntoineX tmp # ls g(itar.mp3 -la -rw-r--r-- 1 a.santo a.santo 21))5)0 2* janv. 1):5+ g(itar.mp3

----/ 2.1. - $ncoding the file you For this step i use uuencode
AntoineX tmp # ((en,o#e --version ((en,o#e -"./ s0ar(tils1 +.10

ant to embed

I use the 8 -m 9 parameter to encode it usin base.*.

AntoineX tmp # ((en,o#e -m g(itar.mp3 g(itar.mp3 2 g(itar.((e

AntoineX tmp # ls g(itar.((e -la -rw-r--r-- 1 a.santo a.santo 293)92* 28 janv. 12:00 g(itar.((e

----/ 2.2. - Injecting the encoded file in the container jpg image :ere is the 8 magic , i in'ect the encoded "i#e in the 'p ima e usin the $6IF 8 -omment 9 "ie#d. For this i use the e+i"too#.
AntoineX tmp # e%iftool -ver 8.25

I use the 8 ;< 9 parameter o" e+i"too#1 that a##o&s to use a "i#e content to "i## an $6IF "ie#d.
AntoineX tmp # e%iftool -3omment4564g(itar.((e antoine.jpg 1 image files (p#ate# AntoineX tmp # ls antoine.jpg -la -rw-r--r-- 1 a.santo a.santo 2938+)) 28 janv. 12:11 antoine.jpg AntoineX tmp # file antoine.jpg antoine.jpg: J !" image #ata$ 50%50 J&'& stan#ar# 1.01

I no& ha2e a nice and tin% ,0+,0 'p ima e embeddin a 2= >B mp3 "i#e.

--/ 3. - !et"s try it on FaceBook

I #o on to m% FaceBook account1 then up#oad this ne& ima e to m% a#bum ca##ed 8 test 9

(et)s &ait some minutes 4

Then 4

So1 it)s seems there &as no prob#em about m% ima e "or the "acebook process. (et)s ha2e a #ook at the ima e on the "acebook -3? ser2ers.

As %ou can see m% tin% ,0+,0 ima e is 21@>B... And it)s disp#a%ed &e## on m% FaceBook pro"i#e.

--/ *. - E#ctract the hidden document from the image

First i &i## do&n#oad the ima e 4

AntoineX tmp # wget 0ttp:77sp0otos.a8.f9,#n.net70p0otos-a8sn,)70s2),)7180*9):1*55+51199**5:10+3*95101:3199911):81)+52*:n.jpg -; antoine:from:&<.jpg --2011-01-30 15:++:5)-- 0ttp:77sp0otos.a8.f9,#n.net70p0otos-a8sn,)70s2),)7180*9):1*55+51199**5:10+3*95101:3199911):81)+52*:n.jpg =>sol(tion #e sp0otos.a8.f9,$$$ ... 3onne%ion vers sp0otos.a8.f9,,onne,t>. re@(Ate BCC transmise$ en attente #e la r>ponse...200 ;D Eong(e(r: 29+151) -2$8F1 Gimage7jpegH Ia(vegar#e en : Jantoine:from:&<.jpgK 100L G6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666 6666666666666666666666666666666666666666666666666666666666662H 2 9+1 51) +8$3D7s #s 5+s 2011-01-30 15:+5:51 -53$5 D<7s1 - Jantoine:from:&<.jpgK sa(vegar#> G29+151)729+151)H AntoineX tmp # ls antoine:from:&<.jpg -la -rw-r--r-- 1 a.santo a.santo 29+151) 1 janv.



As %ou can see the ima e si5e is a #itt#e bit di""erent "rom the ima e i up#oaded. I think the ima e has been re&orked b% A31 but it keeps our $6IF "ie#d unchan ed. Then "or the second step i need to remo2e the 'p header (2* B%tes) 4

AntoineX tmp # ## if6antoine:from:&<.jpg of6antoine:from:&<.((e 9s61 s8ip62+ 29+1+92M0 enregistrements l(s 29+1+92M0 enregistrements >,rits 29+1+92 o,tets -2$9 F<1 ,opi>s$ 8$)9212 s$ 338 8<7s

!e no& ha2e a "i#e ca##ed antoine_from_FB.uue. (ets see the "irst #ine o" this uue "i#e 4
AntoineX tmp # 0ea# -n 1 antoine:from:&<.((e 9egin-9ase)+ )++ g(itar.mp3

So &e can read that1 the uudecodin process &i## enerate a "i#e ca##ed guitare.mp3
AntoineX tmp # ((#e,o#e antoine:from:&<.((e AntoineX tmp # ls g(itar.mp3 -la -rw-r--r-- 1 a.santo a.santo 21))5)0 30 janv. 15:5) g(itar.mp3 AntoineX tmp # file g(itar.mp3 g(itar.mp3: A(#io file wit0 'N3 version 2.+.0$ ,ontains: F !" ANCI$ laOer '''$ v1$ 128 89ps$ +8 8BP$ JntItereo

--/ ,. - $onclusion and potential uses

This &hite paper sho& the abi#ti% to hide an% documents in a simp#e 'p "i#e1 and the permission to up#oad it on a &eb site #ike FaceBook. It means1 abusin space stora e1 band&ith o" a &ebsite. The second dan erous aspect o" this1 is that the abused &ebsites can)t contro# the hidden embedded documents. Is this #e a# B :ere is t&o simp#e potentia# uses on FaceBook 4 Someone creates a FaceBook roup ca##ed 8 c#ouds #o2ers 9. Some FaceBook users 'oin the roup. The% are a## sharin c#ouds pictures 2ia the roup)s picture "aci#it%. A## this seems per"ect#% #e a# and it)s nice to see peop#e #o2in c#ouds so much CCC BUT it can be a D$3E roup sharin hidden stu"" in thoses c#ouds pictures..... Someone creates a FaceBook roup ca##ed 8 Fo##in Stones Fans 9. Some FaceBook users 'oin the roup. The% are a## sharin Fo##in stones a#bum co2er 2ia the roup)s picture "aci#it%. A## this seems per"ect#% #e a# BUT it can be a &are5 roup1 sharin mp3 in ima es..... and "or these t&o e+emp#es1 a## the i##e a# content &ou#d be hosted b% FaceBook -3?... Since the ima es "rom the -3? are accessib#e &ithout an% FaceBook account1 the &ho#e internet can acces the i##e a# stu""....

--/ ,. - %uthor
Antoine Santo (durin independant research) For 0uestions 4 antoinesanto / a t G %ahoo / d 0 tG com ?o b#o H ?o t&itter H ?o !ebSite I)

